Threat hunting has become a hot topic. Security pros have begun to recognize that detection tools and monitoring alone are not sufficient to do battle against today's cyber threats. In a recent Crowd Research Threat Hunting Survey, 79% of respondents said that threat hunting is a top security initiative for 2017.
However, despite the intent to take a more proactive approach, respondents said that 43% of their time is spent reacting to threats and only 23% proactively seeking them. And two-thirds of SOCs reported that they did not have a threat hunting platform to help them do so.
As with any security initiative, many factors go into a program's success, and enterprise security teams that want to engage in threat hunting need to weigh them before the program becomes a reality. While threat hunting can be a manual process, there are now solutions custom built for the job. How? They automate parts of the process so your team can speed up discovery and focus on incident response instead of combing through logs and files by hand.
Here are 4 key steps you need to put in place to get a threat hunting program jump-started.
1. Find Your Hunters – they may be closer than you think. There's been a lot of talk about who fits the profile of a threat hunter. Some argue that it's limited to highly skilled security one-percenters and consultants. While that may have been true in the past, it is possible to empower your existing internal security and IT teams to hunt. You just need to provide them with the right tools for the job, which leads us to the next step.
2. Automate the Hunt - According to the Threat Hunting Survey, it takes teams 38 days to detect and another 26 days to investigate threats without any automation. Enterprises that have some type of threat hunting platform in place saw a 2.5X and 2X improvement respectively.
While threat hunting includes activities defenders have long used, such as log analysis and incident response techniques, there are now threat hunting platforms built specifically for the job. Tools like Infocyte HUNT assist with the hunt process to improve the speed and efficacy of your program. They automate the search for threats and let your internal security teams hunt without esoteric knowledge. And the faster you can identify a threat, the less harm it can do.
For the mature enterprise SOC already hunting, Infocyte HUNT lets you do away with the custom scripts and other one-host-at-a-time DFIR processes you use to validate the suspicious behaviors your team detects. Instead, you can iteratively sweep all endpoints to find entrenched threats and beachheads hiding anywhere in the fleet. Some SOCs are probably already doing a lighter, less scalable version of this with a custom tool set or by scripting an endpoint querying tool.
3. Respond to Found Threats - Now that you've put automation in place, what do you do when you find a threat? A good threat hunting platform should give you detailed information on what has been discovered and the severity of the threat so it can be investigated further. Think of it as incident response triage. Infocyte HUNT provides malware and threat analysis drill-downs that are easy to pivot on, as well as isolation actions with a click of the mouse.
4. Repeat - Threat hunting is not an annual or quarterly activity - cyberthreats are constant. Hackers don’t take days off and your threat hunting program can’t afford to either. Automation is the key to ensuring you can regularly hunt for any compromises that have bypassed other defenses, without exhausting your resources.
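To make the contrast in step 2 concrete, here is an added example (not code from the original post, and not Infocyte's tooling or data format) of the fleet-wide "stacking" that a sweep of every endpoint enables and a one-host-at-a-time check cannot. It assumes constructed survey rows with host, location, path and sha256 fields, as an endpoint-querying script might return them, with placeholder hash strings; the six-host fleet and the two planted anomalies are constructed for the example.

```python
"""Fleet-wide "stacking" of autostart entries from an endpoint survey.

The rows below are constructed for this example and stand in for what an
endpoint-querying tool returns from each host: one row per persistence entry
(Run key, service, scheduled task) with the binary's path and SHA-256. The
field names and the placeholder hash strings are assumptions of this example,
not any product's schema.
"""
from collections import defaultdict
from typing import Callable, Hashable, Iterable

FLEET = ["ws-01", "ws-02", "ws-03", "ws-04", "ws-05", "ws-06"]

ONEDRIVE = r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
DEFENDER = r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"
GUPDATE = r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"
FAKE_SVCHOST = r"C:\Users\Public\svchost.exe"


def _row(host: str, location: str, path: str, sha256: str) -> dict:
    return {"host": host, "location": location, "path": path, "sha256": sha256}


def build_sample_survey() -> list[dict]:
    """Constructed six-host survey with two planted anomalies (see comments)."""
    rows = []
    for host in FLEET:
        rows.append(_row(host, "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
                         ONEDRIVE, "sha-onedrive"))
        rows.append(_row(host, "Service\\WinDefend", DEFENDER, "sha-defender"))
        # Anomaly 1: on ws-02 the updater path is the same as everywhere else,
        # but the binary behind it is different (a trojanized replacement).
        # Examined on ws-02 alone, the entry looks perfectly normal.
        updater_hash = "sha-gupdate-evil" if host == "ws-02" else "sha-gupdate"
        rows.append(_row(host, "Task\\GoogleUpdateTaskMachineUA", GUPDATE, updater_hash))
    # Anomaly 2: a binary masquerading as svchost.exe in a user-writable
    # directory, persisted via a Run key on a single host.
    rows.append(_row("ws-04", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Update",
                     FAKE_SVCHOST, "sha-unknown"))
    return rows


def stack(rows: Iterable[dict], key: Callable[[dict], Hashable]) -> dict[Hashable, set[str]]:
    """Group survey rows by key and record the set of hosts each key was seen on."""
    seen: dict[Hashable, set[str]] = defaultdict(set)
    for row in rows:
        seen[key(row)].add(row["host"])
    return dict(seen)


def rare_entries(rows, fleet_size, max_prevalence=0.2):
    """(path, sha256) pairs present on at most max_prevalence of the fleet.

    Least-frequency-of-occurrence: legitimate software is usually on most
    hosts, so what runs on only one or two machines is where a hunter looks first.
    """
    stacked = stack(rows, lambda r: (r["path"], r["sha256"]))
    return sorted(
        (path, sha, sorted(hosts))
        for (path, sha), hosts in stacked.items()
        if len(hosts) / fleet_size <= max_prevalence
    )


def hash_drift(rows):
    """Paths whose binary hash differs across the fleet.

    Returns {path: {sha256: sorted hosts}} so the minority hash, and the hosts
    carrying it, stand out next to the majority.
    """
    by_path: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
    for row in rows:
        by_path[row["path"]][row["sha256"]].add(row["host"])
    return {
        path: {sha: sorted(hosts) for sha, hosts in hashes.items()}
        for path, hashes in by_path.items()
        if len(hashes) > 1
    }


if __name__ == "__main__":
    survey = build_sample_survey()
    print("Rare (path, hash) pairs:")
    for path, sha, hosts in rare_entries(survey, len(FLEET)):
        print(f"  {path}  {sha}  hosts={hosts}")
    print("Paths whose hash differs across hosts:")
    for path, hashes in hash_drift(survey).items():
        print(f"  {path}")
        for sha, hosts in hashes.items():
            print(f"    {sha}: {hosts}")
```

Both anomalies fall out only because every host was surveyed: the masquerading svchost.exe is rare by prevalence, and the trojanized updater on ws-02 is invisible until its hash is compared with the five other copies of the same path. The prevalence threshold is a starting point, not a verdict; rare entries still need the triage described in step 3.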
Proactively hunting for post-compromise threats is quickly becoming a standard approach for enterprise security. By following these 4 steps to automate the hunt, enterprises can sharply reduce attacker dwell time, limit damage, and better protect their networks.
Ready to start hunting? Request a demo of Infocyte HUNT.